Hello!
I have set up a guest network and I need to harden its security, which means learning how it works in order to fix the issues. So far I've seen that "Intranet disabled" means dropping forwards on layer 2 with ebtables. What I do not get is why PING/DNS/DHCP/FORWARDING work, but when I try to SSH into the router or access its web interface from the guest network it fails. I've searched for iptables rules for this but found none. What am I missing?
Code:
admin@RT-N66U:/tmp/home/root# ebtables -Lnv
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 2, policy: ACCEPT
-i wl0.1 -o ! vlan2 -j DROP
-i ! vlan2 -o wl0.1 -j DROP
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
admin@RT-N66U:/tmp/home/root# iptables -Lnv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0 state NEW
77 5467 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
1872 658K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
78 6635 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
575 74799 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
102 11288 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1129 179K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- !br0 vlan2 0.0.0.0/0 0.0.0.0/0
18 2390 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 DROP icmp -- vlan2 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
206 12255 ACCEPT all -- br0 vlan2 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun0 br0 0.0.0.0/0 0.0.0.0/0 state NEW
36 3004 ACCEPT all -- br0 tun0 0.0.0.0/0 0.0.0.0/0 state NEW
Chain OUTPUT (policy ACCEPT 2097 packets, 716K bytes)
pkts bytes target prot opt in out source destination
Chain FUPNP (0 references)
pkts bytes target prot opt in out source destination
Chain PControls (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logaccept (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `ACCEPT '
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `DROP'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
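To trace what the two listings above actually decide for a given packet, here is a small first-match evaluator that encodes only the rules shown in the post (the ebtables FORWARD chain and the iptables INPUT chain). It is an added example written for this thread, not router firmware code. It assumes that the guest SSID wl0.1 is a port of the br0 bridge (so a frame from a guest client to the router's own IP arrives at iptables with `-i br0`) and uses `eth1` as a hypothetical name for a wired LAN port; which port is the WAN is not stated in the post and is not assumed here.

```python
"""First-match model of the ebtables FORWARD and iptables INPUT chains
pasted in the post. Constructed for illustration; it is not the router's
code and encodes nothing beyond the rule text shown above."""

from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass
class Rule:
    target: str
    in_if: Optional[str] = None      # None means "*" (any interface)
    out_if: Optional[str] = None
    in_neg: bool = False             # True models "-i ! <iface>"
    out_neg: bool = False            # True models "-o ! <iface>"
    states: Optional[FrozenSet[str]] = None  # conntrack states; None = any


def _iface_match(pattern: Optional[str], negate: bool, actual: Optional[str]) -> bool:
    if pattern is None:
        return True
    return (actual == pattern) != negate


def evaluate(chain, policy, *, in_if=None, out_if=None, state=None) -> str:
    """Return the target of the first matching rule, else the chain policy."""
    for rule in chain:
        if not _iface_match(rule.in_if, rule.in_neg, in_if):
            continue
        if not _iface_match(rule.out_if, rule.out_neg, out_if):
            continue
        if rule.states is not None and state not in rule.states:
            continue
        return rule.target
    return policy


# ebtables "Bridge chain: FORWARD" from the post: layer-2 frames between
# bridge ports. Guest port wl0.1 may only exchange frames with vlan2.
EBT_FORWARD = [
    Rule("DROP", in_if="wl0.1", out_if="vlan2", out_neg=True),
    Rule("DROP", in_if="vlan2", in_neg=True, out_if="wl0.1"),
]

# iptables "Chain INPUT" from the post: traffic addressed to the router itself.
IPT_INPUT = [
    Rule("ACCEPT", in_if="tun0", states=frozenset({"NEW"})),
    Rule("DROP", states=frozenset({"INVALID"})),
    Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),
    Rule("ACCEPT", in_if="lo", states=frozenset({"NEW"})),
    Rule("ACCEPT", in_if="br0", states=frozenset({"NEW"})),
    Rule("DROP"),
]


def bridge_forward(in_port: str, out_port: str) -> str:
    """Decision for a frame bridged from in_port to out_port."""
    return evaluate(EBT_FORWARD, "ACCEPT", in_if=in_port, out_if=out_port)


def router_input(in_if: str, state: str) -> str:
    """Decision for a packet destined to the router, seen on in_if."""
    return evaluate(IPT_INPUT, "ACCEPT", in_if=in_if, state=state)


if __name__ == "__main__":
    # "eth1" is a hypothetical wired LAN port name; wl0.1 in br0 is assumed.
    cases = [
        ("guest -> LAN host (L2)", bridge_forward("wl0.1", "eth1")),
        ("guest -> vlan2 (L2)", bridge_forward("wl0.1", "vlan2")),
        ("LAN host -> guest (L2)", bridge_forward("eth1", "wl0.1")),
        ("guest -> router, NEW via br0", router_input("br0", "NEW")),
        ("guest -> router, INVALID", router_input("br0", "INVALID")),
        ("WAN -> router, NEW", router_input("vlan2", "NEW")),
    ]
    for label, verdict in cases:
        print(f"{label:32s} {verdict}")
```

Running it shows the split the post describes: the ebtables rules drop guest frames to every bridge port except vlan2 (that is the "Intranet disabled" isolation), while a NEW connection from a br0-attached client to the router's own address is accepted by the INPUT chain as listed, and the ebtables INPUT chain is empty with policy ACCEPT. So the two tables pasted above do not, by themselves, decide against the SSH or web-interface attempt; whatever blocks it is not among the rules shown.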